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(57) ABSTRACT 

The present invention is a method for detecting and isolating 
fault modes in a system having a model describing its behav- 
ior and regularly sampled measurements. The models are 
used to calculate past and present deviations from measure- 
ments that would result with no faults present, as well as with 
one or more potential fault modes present. Algorithms that 
calculate and store these deviations, along with memory of 
when said faults, if present, would have an effect on the said 
actual measurements, are used to detect when a fault is 
present. Related algorithms are used to exonerate false fault 
modes and finally to isolate the true fault mode. This inven- 
tion is presented with application to detection and isolation of 
thruster faults for a thruster-controlled spacecraft. As a sup- 
porting aspect of the invention, a novel, effective, and effi- 
cient filtering method for estimating the derivative of a noisy 
signal is presented. 
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MODEL-BASED FAULT DETECTION AND 
ISOLATION FOR INTERMITTENTLY 

ACTIVE FAULTS WITH APPLICATION TO 
MOTION-BASED THRUSTER FAULT 
DETECTION AND ISOLATION FOR 
SPACECRAFT 

This application claims the benefit of the filing date of the 
previously filed provisional patent application, No. 60/468, 
411, filed on May 6, 2003. 

FEDERALLY SPONSORED RESEARCH 

This invention was made with Government support under 
contract number NAS2-00065 awarded by NASA. The Gov- 
ernment has certain rights in the invention. 

COMPUTER PROGRAM LISTING COMPACT 
DISK APPENDIX 

Selected files used to implement a simulation of the inven- 
tion, as applied to a thruster controlled spacecraft, are pro- 
vided in MATLAB m-code on CD-R. All code is copyright 
Edward Wilson. One original and one identical copy are 
provided. Machine format: IBM PC/XT/AT, or compatibles. 
Operating system compatibility: MS-Windows. Line Termi- 
nator: ASCII Carriage return plus ASCII Line Feed. Control 
codes: none. Compression: uncompressed data. A printed 
listing of the files on the CD-R is also provided as an appendix 
to this specification. 

BACKGROUND OF THE INVENTION 

1. Background — Field of the Invention 

The present invention relates generally to information pro- 
cessing systems that are used to detect and isolate anomalies 
(or fault detection and isolation — FDI), and more specifically 
to an information processing system that monitors motion- 
related sensors to accurately detect and isolate the presence of 
thruster faults. Whereas FDI is a broad field, tills invention 
presents a solution that is especially valuable when certain 
aspects are present: (1) when the faults that may appear are 
discrete and finite in number; (2) faults occur and appear 
abruptly and are not intermittent; (3) the effect of the faults are 
intermittently present (active) or absent (inactive) at known 
times; (4) the measurements of these effects are imprecise due 
to the complexity of the governing physics and presence of 
sensor noise and disturbances. Although the invention has 
applicability beyond, it was developed to solve a problem 
with these attributes: the detection (determining that a fault 
has occurred) and isolation (determining the exact type and 
location of the fault) of hard, abrupt, spacecraft thruster faults 
using only information from existing navigation sensors such 
as gyroscopes (gyros), accelerometers, star trackers, video 
cameras, sun sensors, horizon sensors, or other instruments 
whose output is affected by motions of the spacecraft. 

The solution approach falls under the classification of 
model-based diagnosis; in which models of the system in its 
nominal and (multiple) failed conditions are used to generate 
predictions of the system state variables or sensor outputs. 
Calculation and analysis of the deviations of the measure- 
ments from predicted values is performed to detect and isolate 
the correct fault mode from the list of possible modes. 

2. Backgroimd — Prior Art 

R. Isermann, in “Process Fault Detection Based on Mod- 
eling and Estimation Methods — A Survey,” Automatica , Vol. 
20, No. 4, pp. 387-404, 1984, presents several FDI 
approaches that perform well on a variety of applications. 


2 

However, the on-off nature of the thrusters present in the class 
of applications addressed here limits the viability of many 
general-purpose methods. For example, if a thruster has failed 
off, it will appear to be working correctly at all times that it is 
5 not commanded to fire. The present invention presents a gen- 
eral approach for this class of problems. 

The most common approach to detect and isolate space- 
craft thruster faults is to install pressure, temperature, and 
electrical sensors at the thrusters. The use of these additional 
1° sensors makes the FDI logic very simple and robust, since 
they can more directly detect when a thruster is producing 
thrust. However, the need for additional sensors adds to the 
cost, complexity, mass, and volume requirements of the 
spacecraft. This type of system is used, for example, on 
15 NASA’s Space Shuttle Orbiter. If such extensive sensing is 
not possible, most systems do not have automatic on-line 
thruster FDI capability. 

Deyst, J. J. and Deckert, J. C. proposed, and developed in 
simulation, a maximum-likelihood based approach for 
20 detecting leaking thrusters for the Space Shuttle orbiter’ s 
RCS jets in “Maximum likelihood failure detection tech- 
niques applied to the Shuttle RCS jets,' "Journal of Spacecraft 
and Rockets , vol. 13, no. 2, 65-74, February 1976. The 
method for detecting soft failures was also extended to detect 
25 hard RCS jet failures. It was tested and found to not have 
sufficient tolerance for model uncertainty and sensor noise to 
provide acceptable accuracy for example applications. How- 
ever, the maximum-likelihood method presented in that work 
serves as the core upon which this invention builds, increas- 
111 ing the accuracy by using information from all prior time. 

Lee, A. Y. and Brown, M. J. developed “A model-based 
thruster leakage monitor for the Cassini spacecraft,” In Pro- 
ceedings of the American Control Conference, 1998, vol. 2, 
pp 902-904, 1998. Unlike the present invention, this was 
J ' aimed at detecting constant leaks, not failures that would 
cause varying effects depending on whether the thrusters are 
commanded to fire or not. 

Wilson, E. and Rock, S. M., in “Reconfigurable control of 
40 a free-flying space robot using neural networks,” Proceedings 
of the .American Control Conference, Seattle Wash., June 
1995, developed an FDI method based on exponentially 
weighted recursive least squares estimation using accelerom- 
eter and angular rate sensors. As with the approach of Deyst 
4 _ and Deckert, this approach was found to have limited accu- 
racy, as compared to the system presented here. 

BACKGROUND— OBJECTS AND ADVANTAGES 

50 Disadvantages of the prior art are that it either requires the 
use of additional sensors, or does not provide the accuracy 
required of many thruster FDI applications. What is needed is 
a system that provides FDI that is accurate and timely, without 
requiring additional special purpose sensors. If existing navi- 
55 gational sensors can be used, then the FDI can be performed 
with a software-only on-board implementation, or from the 
ground, based on telemetered sensor data. Hard, abrupt, 
thruster failures resulting from a single point of failure (in 
valves, plumbing, electronics, etc.) are to be monitored. 
60 These can include single- or (simultaneously appearing) mul- 
tiple-jet failures in either a failed-on or failed-off condition. 

BRIEF SUMMARY OF THE INVENTION 

65 The present invention is a method for detecting and isolat- 
ing fault modes in a system having a model describing its 
behavior and one or more measurements that are sampled 
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regularly. In tills method, said models are used to calculate 
past and present deviations front measurements that would 
result from said system with no faults, as well as from said 
system with one or more potential said fault modes. Algo- 
rithms that calculate and store these deviations, along with 
memory of when said faults, if present, would have an elfect 
on the said actual measurements, are used to detect when a 
fault is present. Related algorithms are used to exonerate false 
fault modes and finally to isolate the true fault mode. 

A novel, effective, and efficient filtering method for esti- 
mating the derivative of a noisy signal is presented. This 
method is relevant to one application at hand, the FDI of 
spacecraft thruster faults using gyros, in which angular accel- 
eration is estimated from the noisy gyro measurements. The 
use of this filtering algorithm, storage of a number of mea- 
surements, correlation of this historical record with a similar 
record of when the faults are active or inactive, use of exon- 
eration algorithms, and integration of the entire FDI system 
comprise the novel aspects of the invention. 

BRIEF DESCRIPTION OF DRAWINGS 

FIG. 1 is a block diagram indicating the signals and steps 
used in FDI, as used in the prior art, where a separate model 
is used to calculate the deviation from measurement for each 
potential fault mode. 

FIG. 2 is a block diagram indicating the signals and steps 
used in FDI, as used in the prior art, where a separate model 
is used to calculate the expected deviation from nominal for 
each potential fault mode. 

FIG. 3 is a block diagram indicating a summarized portion 
of FIG. 2, which is prior art, and is used as part of the present 
invention. 

FIG. 4 is a signal-flow block diagram indicating the algo- 
rithmic processing used to generate the likelihood param- 
eters. 

FIG. 5 is a flow chart of a sample program used to imple- 
ment the FDI method. 

DETAILED DESCRIPTION OF THE INVENTION 

In FIG. 1, which shows a type of FDI in the prior art which 
is used as a basis for the present invention, measurements are 
processed following a measurement update (or set of mea- 
surements) by the filter element, 20, producing the estimated 
actual system outputs, 10. Inputs to the models, 22, 24, and 
26, may include actuator commands, state variables, etc. 22 is 
an accurate model of the nominal system. 24 is a model of the 
system in which fault mode 1 is present. Additional models 
will be used to represent each potential fault mode, up to 
mode N, modeled by 26. The model outputs from 22 are the 
predicted system outputs — nominal, 12, which are compared 
with 10 to produce the deviation from measured — nominal, 
14. Similarly, the fault mode models result in the deviation 
from measured — fault mode 1, 16, and the deviation from 
measured — fault mode N, 18. The idea of tills and many 
approaches to FDI, including the present invention, is to 
compare the measurements with a number of potential fault 
modes, choosing the fault mode that matches the measure- 
ments most closely as the true fault. One commonly used 
statistically based method for choosing which is closest is 
based on maximum likelihood theory, as explained in the 
prior art cited earlier. This threshold-based decision logic, 28, 
results in both fault detection and fault isolation decisions. 

In FIG. 2, also in the prior art, a slightly modified type of 
FDI is shown. While 14 is still calculated as before, the 
outputs from the various fault-mode models, 24 and 26, are 


4 

the Expected Deviation from Nominal — fault mode 1, 30, and 
the Expected Deviation from Nominal — fault mode N, 32. 
Thus models 24 and 26 can be made far simpler than their 
counterparts in FIG. 1. 

5 In FIG. 1, Deviation from measured — fault mode 1 is the 
deviation of the measured outputs from the outputs that would 
be predicted if fault mode 1 were true, so it is derived from the 
measurements. In FIG. 2, which may be chosen for the 
enhanced calculation efficiency if the specific application 
to allows it, the actual measurements are used only once — to 
calculate the deviation from that predicted by the nominal 
model. The Expected Deviation From Nominal — Fault mode 
1 is a value that is calculated, or may be looked up from a 
pre-calculated table, based on the inputs only. For example, if 
15 the inputs indicate that the mode will not be active at that time, 
the expected deviation would be zero, whereas if active it 
would be a pre-calculated value or vector of values. The 
similarity of the two approaches can be demonstrated by 
observing that 16 can be calculated as 14 plus 30. The sub- 
20 sequent 28 will be adjusted accordingly, depending on which 
of the two input approaches is used. The first one is more 
general, while the second one, when applicable, offers the 
potential for significant improvement in computational com- 
plexity with no loss of information. For simplicity, the inven- 
25 tion is presented using the method of FIG. 2, but the first 
method could be applied with appropriate minor modifica- 
tions in the subsequent processing. 

FIG. 3, also prior art, shows certain elements taken from 
FIG. 2 and summarized as the functional block, 42, which is 
30 the deviation calculator. Taking in measurements and inputs, 
it calculates 14, 30, and 32, which contain all the information 
on deviations of the various potential fault mode models. 42 
and its inputs and outputs, collectively, 40, the deviation 
calculator subsystem, is used directly as a component in the 
35 present invention and no novelty is claimed for that portion of 
the invention. 

FIG. 4 shows how the outputs of 40 are processed to pro- 
duce the likelihood parameters for each fault mode. One of 
the key concepts of the invention is to improve accuracy by 
40 explicitly checking the data at times when the fault mode, if 
present, should be causing a deviation from nominal, as well 
as checking at times when it should not be causing any devia- 
tion, even if it is present. Two terms are introduced to facilitate 
explanation of this concept: that of a fault mode being 
45 “active” or “inactive.” A fault mode is said to be active at a 
particular time if it would affect the system behavior if the 
mode were true. For example, if fault mode 1 is thruster 
number 1 failed off, and thruster 1 is commanded to fire, then 
fault mode 1 is active. A fault mode is said to be inactive if it 
50 would not affect the system behavior even if it were true. 
Continuing the previous example, if thruster 1 is not com- 
manded to fire, then fault mode 1 is inactive. Throughout this 
specification, the words “active” and “inactive” are used with 
these meanings only. Specifically “active” means that the 
55 effect of the fault mode would be observable if it were true, 
and conversely, “inactive” means that the effect would be 
unobservable, even if true. Since it is assumed that exactly 
one fault mode is true (possibly representing multiple faults), 
if a significant deviation from nominal is measured at a time 
60 when a fault mode is inactive, it implies that a different fault 
mode must be true, thereby indicating that the fault mode in 
question should be exonerated. Similarly, if no deviation from 
nominal is measured at a time when a particular fault mode is 
active, it implies that this fault mode should be exonerated. 
65 Due to system disturbances unrelated to the faults, and noise 
in the measurements, the decisions to exonerate or isolate 
faults are generally carried out following application of these 
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basic concepts through statistical-based filtering on windows 
of historical data, rather than on data at a single point in time. 
However, in the case of a system with sufficiently low distur- 
bances and noise, application with a window size of 1 (thus 
acting on one measurement vector at a time) is possible. 

Another key concept of the invention is to record a history 
of past and present deviation calculations. Functional block 
50 provides switching and storage based on when fault modes 
are active. Variably sized windows are used to collect data in 
several different bins, corresponding to: the deviation of the 
measurements from nominal, 52; the expected deviation from 
nominal — fault mode 1 at times when fault mode 1 is active, 
54, or inactive, 56; and the corresponding windows of data for 
all fault modes up through the last one, N, 58 and 60. 

In FIG. 4, all 5 windows shown appear to be the same 
length; however, they can be variable length. Also, the data 
here are all one-dimensional, as if a single sensoris present, or 
all measurements are combined to produce a single deviation 
value at each point in time; however more generally, the 
deviations will be vectors of measurements at each point in 
time. The independent variable here could be time or some 
other variable. 

Some example data is shown, corresponding to the case 
where fault mode 1 is true. 52 is drawn as a noisy signal that 
steps up briefly at two distinct times in the window of data. 
This noisy signal is drawn again as a dashed line in 54, 56, 58, 
and 60, where the expected deviations from nominal are also 
plotted. In this example, it is clear that fault mode 1 is the true 
fault mode since the expected deviations match the measured 
deviations at all times, including when fault mode 1 is active 
and inactive. Region 62 in 58 shows the extent to which the 
expected deviation from nominal — fault mode N deviates 
from the measured deviation from nominal, in the window, at 
times when fault mode N is active. Region 64 in 60 shows the 
corresponding value for times when fault mode N is inactive. 
The values corresponding to the deviations indicated by 62 
and 64 are calculated according to the appropriate statistics 
related to the problem at hand, choosing from options of: 
summation, integration, combination of elements at different 
times and different locations in the measurement vector by 
mean, median, sum of squares, root sum of squares, etc., all of 
which may be weighted according to the appropriate statis- 
tics, for example inversely weighted by the estimated mea- 
surement error covariance matrix. The specific methods used 
for this are carried out in 66, are problem-dependent, and no 
novelty is claimed in the specifics of that function. The output 
of 66 is a likelihood parameter corresponding to each fault 
mode, separated into times when it is either active or inactive. 
The term “likelihood parameter” is derived from the maxi- 
mum-likelihood theory that may be the preferred method to 
apply in 66, although in general, these are parameters to be 
chosen by an application-dependent method, so long as they 
reflect the closeness of match between the corresponding 
fault modes and the expected and measured deviations, at 
both active and inactive times, on an appropriately chosen 
window in time or other independent variable. In the pre- 
ferred embodiment, maximum likelihood theory is used, as 
this has been found to work well on the spacecraft thruster 
FDI application. 

FIG. 5 is a flowchart outlining the specific program logic 
executed each time an updated set of likelihood parameters is 
generated. For the spacecraft thruster FDI application 
example, this occurs following each thruster control 
period — a period during which all thrusters are held either on 
or off. Decision block 70, checks to see whether FDI is 
enabled. It may be appropriate to disable FDI updating at 
times when it is known that the sensors are excessively noisy. 
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system disturbances are excessively hi gh , etc. The remainder 
of the flowchart elements are described as part of the follow- 
ing detailed description of the invention as applied to space- 
craft thruster FDI. 

5 

DETAILED DESCRIPTION— AS APPLIED TO 
SPACECRAFT THRUSTER FDI 

The FDI method is described in detail as follows, using the 
to spacecraft thruster FDI application as an example. Unless 
otherwise stated, the specifics of the method refer to the 
preferred embodiment. 

At every control update, the disturbing acceleration on the 
spacecraft, a disturbil , 14, is calculated. This vector is com- 
15 pared with the vector of expected disturbing accelerations 
corresponding to each possible fault mode, a disturbing,^ 30 and 
32, in 42. After a fault is detected in 78, and once a clear match 
is determined in 88, the fault mode is isolated. Specifics 
regarding filtering and other calculations follow. 

20 Decision block 72 checks to see if the fault mode catalog 
requires initialization or update. If so a disturb i„ s p 30 and 32, is 
pre-calculated in 74 for every possible fault mode, i. Fault 
modes consisting of a plurality of atomic fault modes require 
further cataloging of each combination of faults that may be 
25 active at each time (for example, if jets 1 and 2 fail off 
simultaneously, the disturbing acceleration will be different 
for the three different firing permutations: #1 firing, #2 firing, 
and both #1 and #2 firing). This cataloging may be done 
pre-flight, and the values are may be updated periodically if 
30 the system model changes. This occurs in the spacecraft 
example if the nominal strength of all thrusters drops as the 
tanks empty or if updated mass- and thruster-property esti- 
mates become available. 

Decision block 76 checks to see if a fault has already been 
32 detected. If true, isolation will be pursued. If false, the fault 
detection logic is tested in 78. If a fault is still not detected 
following 78, decision block 80 will exit the FDI processing 
until an updated set of likelihood parameters is received. If a 
fault is detected in 80, the initial list of candidate faults is 
411 populated in 82 with all potential fault modes, and followed 
by an immediate exoneration of as many as possible in 84. 
Details on this exoneration procedure follow later. 

^disturbing* 14, the difference between the acceleration esti- 
mate based on measurements, and the acceleration expected 
based on the physical spacecraft model and thruster com- 
mands is calculated as follows. a. known _ systemJc and 

body 

^ q ^ known— system Ji 


are the physical-model based estimates of what the angular 
and translational accelerations should be at control update, k. 
55 This pair of3-by-l vectors is combined to create &h, ow „. S y Stem , 
a 6-by-l vector. They are calculated assuming no failures are 
present and all physical parameters are at their known values 
(nominal or identified, but not necessarily true). Thus, if an 
on-line identification method produced a better estimate of 
60 some system parameters than the nominal parameters, those 
may be used. Starting with the basic spacecraft rotational and 
translational equations of motion, making appropriate substi- 
tutions, and assuming translational accelerations are mea- 
sured in the body frame, the nominal accelerations are 
65 expressed as follows, where: co is a 3-by-l vector containing 
the angular velocity of the body-fixed frame with respect to an 
inertial reference frame; I, is a 3-by-3 matrix containing the 
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spacecraft inertia tensor (also, dyadic, matrix), measured 
about the true center of mass; the caret indicates estimated or 
identified quantities; L is a 3-by-n matrix containing x-y-z 
location of each thruster in the body frame; n is the number of 
thrusters; N is the number of fault modes; D is a 3-by-n matrix 
containing unit vectors indicating the direction of thrust in the 
body frame; F„ om is a n-by-n diagonal matrix containing 
nominal strength of each thruster at full tank pressure; T k is a 
n-by-1 vector of l’s and 0’s containing effective value for 
which thrusters fire at time step k, accounting for transient 
effects; % disUlrb is a 3-by-l vector containing sum of all torques 
on the vehicle resulting from other sources (drag, gravity 
gradient, separately modeled known thruster anomalies, 
CMG, RWA, and other calculable dynamic effects, etc.); m is 
a scalar containing total vehicle mass; 


/■body 
J disturb 


is a 3-by-l vector containing the net force on the vehicle 
through the center of mass, and the body superscript indicates 
measurement in the body frame: 

& = r\(LxD)F mm T k + T dislurb -«x(/b)) (1) 

X b °*=m-'(DF r ^T k+ fS H> ) (2 > 


Collecting relevant similar measurements prior to filtering 
is done in 50 — for example, collecting a disturbi estimates for 
cases when only jet #3 was commanded to fire. The need for 
collection is highlighted by the case in which a failed-off 
5 thruster might be commanded to fire infrequently for short 
durations. The information about the failure may be detect- 
able if this data is collected and examined together, whereas it 
may not be sufficiently persistent to be detected by a more 
10 conventional approach. Collection is implemented as fol- 
lows: the single & disturbi „ g vector is stored at all times; the 
history of each fault mode being active or inactive (and sub- 
mode information for the multi-jet case) is also stored. 

Windowing these collections of measurements is also done 
in 50 to enable detection of an abruptly appearing thruster 
fault, while also allowing accurate isolation once a fault is 
detected. To maximize the noise reduction from filtering, it 
would be good to maximize the window size. However, this 
20 will compromise the detection of abrupt faults — if the filter 
uses data from before the fault occurred, as well as after- 
wards. Optimal selection of the window size used for fault 
detection requires consideration of the noise reduction 
needed, the acceptable time before detection, as well as the 
25 relative costs of false positives and failed detection (risk opti- 
mization). Also, a minimum number samples of active data is 
required before maximum likelihood FDI analysis is allowed 
to proceed for a given fault mode. 


d known- system,k 


— / ( [I-/ X D^j F nom T command, k 4 " T disturb d) ^ (^^)) 


(3) 30 


..body 

known-system, k 


^ body 

WL DF nom T command Jc 4 " f disturb 


(4) 


The disturbing accelerations, 14 , can then be calculated as: 


» 4 „ 

Cl disturbing — Cl — ttfcrio wn-system — 


Cl disturbing 
/■ body 
* disturbing 


^ CX & known-system 

= ^ _ body 

A A known-system 


(5) 


40 


a may be estimated from the measurements using the 
derivative filtering method presented later, otherwise, a and 
x should be estimated from the measurements using the 
best means possible that does not rely on knowledge of 
thruster properties, and that produces a value correlated with 50 
the thruster performance during the control period (i.e., not 
time-shifted). If both gyros and accelerometers are present (or 
some other method for estimating angular and translational 
accelerations), then FDI can proceed using all 6 degrees of 
freedom; however, the FDI can proceed with whatever subset 55 
of these 6 measurements is available. 

Collecting, windowing, and filtering measurements for 
individual fault modes. If the signal-to-noise ratio were high 
enough and each fault mode signature (a disturbing,,) were 
unique (or sufficiently separable in the noise present), maxi- 60 
mum likelihood FDI analysis of the a disturbi „ s readings could 
be carried out on the values at each time step, as was done by 
Deyst in the prior art. However, this is often not possible due 
to: excessive sensor noise; unknown system model variations; 
disturbances; and the existence of fault modes with similar 65 
a disturbing^- T° address this, the data is collected and win- 
dowed as follows: 


The windowing situation changes slightly following detec- 
tion. Since the problem statement says that only a single fault 
mode (possibly affecting multiple jets) will appear, once it is 
detected, the window can begin at the time of detection and 
grow without bound. To gain a few extra samples, conserva- 
tive analysis can allow a number of samples before detection, 
reasoning that the fault was present for some time prior to 
detection. These extra samples may be important in allowing 
fast fault isolation. 

However, the calculation of \„ actived following detection 
keeps a finite sliding window. The rationale for this may 
become clearer when X inactivel is discussed, but basically this 
measurement is intended to spike up when the true fault 
becomes active, thus allowing this fault to be declared false. 
Since the true fault mode is not known, the best window for 
X calculation cannot be known. The best that can be done 

inactive j 

is to continue to use a sliding window and to hope that the true 
fault will appear for long enough during that window to raise 
X i„acuve ,i above the prescribed threshold and allow for this 
fault to be declared false. In cases where the basic signal-to- 
noise ratio in the calculation of 14 varies in time, it may be 
beneficial to adjust the window sizes and minimum-sample 
requirements to enable the decision making to use more data. 
Increasing these parameters will result in slower detection 
and isolation, but will improve accuracy. 

Once the data has been collected and windowed in 50, it is 
statistically combined, or filtered in 66 to reduce the effects of 
noise in the calculation of the likelihood parameters. Since it 
is known that failures will occur abruptly, this windowing and 
filtering method is preferred over an infinite impulse response 
(IIR, e.g., exponential) filter that would carry through infor- 
mation for longer. The implementation as described here 
avoids introducing any phase lag between the cause (thruster 
firings) and effect (vehicle motions), as would be introduced 
by a linear IIR or Kalman Filter, that would bias the FDI. 
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One of the challenges of FDI for systems with on-off 
actuators is that failures are only observable when active. For 
example, “off” failures are observable only when the jets are 
commanded to fire. For each fault mode, only the relevant 
a measurements, 14 and 52 , are used to calculate 

A disturbing ^ 

& disturbing,active,i ^d 3 distur bi„gj na cti V ejs which are M-tUm USed 

to _ calculate k actlvei , k inactived , and k inactived0 . 
So a j istur bing,active,i ' s calculated as the mean over a window of 
a disturbing data during which fault mode i was active, and 
a^ 4 uses ^disturbing data during which fault mode i was 
not active. 

The preferred embodiment for 66 uses maximum likeli- 
hood theory. Although the acceleration estimator is nonlinear 
and sub-optimal, it is reasonable to assume that the estimated 
disturbing acceleration readings, a disturbing , are normally dis- 
tributed about the disturbing acceleration values, a disturbi „ g . 
corresponding to the true fault mode. So the probability den- 
sity for the true disturbing acceleration values, a disturbi ,, 
conditioned on the measurement history M, is [Deyst 1976] 
[Gelb 1974] 
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If P„ _1 is diagonal (as it commonly is assumed to be), the 
calculation may be simplified by bringing the P a _1 term out of 
the summation. Since different X’s are calculated using dif- 
ferent numbers of samples, each k is normalized by dividing 
5 by the number of samples used to calculate it. 

This expression is calculated and used both to detect and to 
isolate failures. When fault mode i is true, there will be a close 
match between a disturbingd and a dlsturhmgactive ^ resulting in a 
low value for k active ,. Calculation of k active ; may be halted 
to once a fault mode has been isolated. Alternatively, it may 
continue, ensuring validation of the isolation decision, or the 
FDI process may be re-initialized following isolation to 
detect and isolate further faults. 

The approach taken in the prior art [Deyst 1 976] basically 
15 makes tins above calculation ofk inactive „ without the preced- 
ing collection, windowing, and filtering. It is then used 
directly for fault detection and isolation, without the follow- 
ing k inactivei calculations and additional post-processing. 

The likelihood argument, k inactive t , is calculated using data 
20 from periods where the fault mode was inactive, as follows: 


P {((disturbing,* I M ^ ' 
^\P a \~^^€ ~'i{\ a disturbing,*~ddisturbing] [^disturbing,*— d disturbing]) 


25 


inactive ,i ~~ ^ {((disturbing, inactive,! ^ disturbing, inactive ,i ) 

b 

fg t d distutbir.g .inactive ,i ~ ((disturbing, inactive ,! ) 


(9) 


n^is the number of degrees of freedom used in the FDI, 
and P a is the estimation error covariance of the disturbing 
acceleration. When multiple measurement samples are con- 
sidered, the probabilities multiply: 


a disturbing^,, active^ is the disturbing acceleration that would 
be expected if fault mode i were true, when fault mode i is 
inactive. This is zero, allowing for simplification to 


Piadisturbing,, I M) = [“I {2n)-"^ 2 \Pa\- 112 
k 

£~ 2 ^disturbing,* disturbing ] ^ [ a disturbing,* ~ d disturbing ]) 

= ( 2 n)~ ndo f kmax ^ 2 \P a | - *max/2 

| | <g~ 2 i[ a disturbing,* -^disturbing ] \ a disturbing,* -^disturbing ]) 

k 

= (2n)~ nd °f kmaxl2 \P a \ ~^max/2 

* T i. ([ a disturbing .* A disturbing ] F disturbing .* disturbing ]) 

— (■ 2ti f^dof^nttcpr |p | — ^ max ibgC ] ^active. j 


The summation over k indicates the use of measurements at 


k different times, with the size of this window determined as 
described above. 

Given disturbing acceleration measurements, a disturbi „ g , 
and knowing the disturbing acceleration values correspond- 
ing to each possible fault mode, a disturbingi , the most likely 
fault mode is found by finding the a disturbing t that maximizes 
this probability density function. The subscript i indicates the 
fault mode number corresponding to the disturbing accelera- 
tion. This function is maximized when the likelihood argu- 
ment, k actived , in the following expression is minimized: 


- {^disturbing. i d, i:\tur rung, uctive.i ) 


( 8 ) 


t'r {(( disturbing ,i d duct urtcr.g. active, i ) 
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^ inactive ,i — {(^disturbing, inactive.i) T, ( ((disturbing, inactive,i ) 


( 10 ) 


The likelihood parameter, k inactivet is used to exonerate 
55 fault modes following detection and prior to isolation, so it 
does not need to be calculated at other times. 

When fault mode i is true, k inactived will have a low value, 
just as k activei does. Flowever, when fault mode i is not true, it 
60 will have a high value whenever the true fault mode is active, 
and a low value at other times. The k inactivei values are moni- 
tored for spikes, and when the value exceeds a threshold, fault 
mode i is exonerated, and removed from consideration as a 
candidate from that point forward (note that this processing 
65 occurs only after fault detection). 

The likelihood parameter, k actlve l0 , is calculated using data 
from periods where fault mode i was active, as follows: 
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^active, iO — ^ (0 ®disturbing.activc,i) ^ (0 @dislurbing 7 aclive,i') ^ ^ 


Kctivej o measures the likelihood that a disturbing actlve i could 
have resulted even though no failures (none at all, not just that 
fault mode i is not true) were present (that is why 
& disturbing, i = ®)- When fault mode i is true, X active ^ 0 will have a 10 
high value, and when no failures are present, it will have a low 
value. The ratio between ’k acttvei and X aativeti0 is monitored to 
detect faults, as follows: 

At each FDI update, for each possible fault mode, ’k activei is 
evaluated using the windowed readings. The likelihood argu- 15 
ment corresponding to no failure, X a< , nV(v . 0 , is evaluated using 
the same windowed relevant readings, but with zero substi- 
tuted for a disturbingi . So X a ative,io should be low ( a close 
match) when no fault mode (including i) is true. The ratio of 
likelihood arguments is calculated as 20 


A ^-active, i ■ 1 2) 


A fault is detected in 78 when "k ratto4 falls below a thresh- 
old; this is a generalized likelihood ratio test. The calculation 
of Ucrtve,; o and use °f the ratio in fault detection (as compared 
to using a fixed threshold for ’k acHx , e , i ) is less susceptible to an 
incorrect value and distortion by other fault modes (e.g., 
when fault mode j is active, it will affect calculations of 
X . and 1r lnactive j). Further tests are then performed before 
isolating a particular fault mode, as described below. Evalu- 
ation of individual X a£ , nVe i0 ’S for each fault mode is critically n 
important — evaluating "k active 0 based on all (windowed) data 
may not indicate a failure if a failed-off thruster has not fired 
recently. 

Immediately following fault detection in 78, the finite list 
of possible fault modes is analyzed to see if any can be 4(| 
exonerated in 84. For example, if a fault mode has never been 
active since the initialization of the FDI system, it can be 
exonerated at this time. Once a fault mode is exonerated, no 
further calculations of likelihood parameters are required. 

Then, and again at each FDI update, the likelihood argu- 45 
ments, X acnvB t and \ nacttve ,„ are calculated using all relevant 
data since the time of detection and compared to certain 
thresholds and to each other. If a fault mode is true, both 
X . and ^-inactive,! should be low, indicating the fault mode i 
fits the data well when it is both active and inactive. This is 50 
used first to exonerate fault modes in 86 — if ~^ activei or 
^■inactive j ever rise above a threshold (as they would whenever 
the data does not match well with fault mode i being true), 
fault mode i is exonerated. 

This additional step that allows for fault modes to be exon- 55 
erated is important for improving the speed and accuracy of 
the FDI. In some cases, a fault is correctly identified by 
process of elimination — all other fault modes are exonerated. 
Analysis and removal of false fault modes that are similar to 
the true one enables more discriminating decision thresholds 60 
to be set, improving accuracy. 

For a fault to be isolated in 88, ~K active i must be below a 
“low” threshold, indicating a very close match, while no other 
faults are below a higher threshold. 

Some faults are virtually indistinguishable from one 65 
another in terms of the resulting a disturbi „ g . Unfortunately, it is 
not uncommon for mode activations to be synchronized due 
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to the control system. For example, consider two jets, A and 
B, that are physically opposite one another (i.e., the accelera- 
tion vectors are opposite). If A fails off it may be commanded 
to fire continuously since no control thrust is produced and B 
is not likely to be fired at all since it would be pushing in the 
opposite direction. In this situation, the fault modes for both 
jet-A-off and jet-B-on are active. So in the extreme limit 
where the nominal accelerations from A and B are identical 
and the activations are exactly synchronized, it is mathemati- 
cally impossible (the information is not there) to distinguish 
between these two fault modes. 

Another alias problem occurs in cases a plurality of thrust- 
ers are fired open-loop in sets of multiple thrusters at a time 
and sets of them have near-identical fault signatures. This can 
be addressed by adjusting the firing pattern to isolate the 
failed thruster, once the failure has been identified, the pattern 
is left in a state that makes the failure inactive, providing 
reconfiguration as well as FDI in this case. FDI -driven exci- 
tation of fault modes such as this example is generally valu- 
able in expediting the isolation. 

Following isolation in 88, one approach may be to assume 
that this was the only fault mode that will appear (as presented 
in the problem statements for the various spacecraft), and that 
the isolation was done correctly. This would enable the halt- 
ing of all FDI monitoring calculations. However, if further 
verification is desired, it is possible to continue to calculate 
and monitor the likelihood parameters (perhaps with modi- 
fied windowing) to see if the isolation decision was incorrect. 
Alternatively, additionally, or subsequently, once a fault 
mode is isolated, it may be accepted as a true fact. At this 
point, the entire FDI monitoring system may be re-initialized 
with this knowledge, as in 92, enabling detection and isola- 
tion of other fault modes. 

Application of the present invention to thruster FDI is 
based fundamentally on analysis of the vehicle acceleration 
that results during thruster firings. The estimated accelera- 
tion. a (consisting of estimated angular acceleration, a and 
estimated translational acceleration, x body ), is required at 
each FDI update. If it is not directly measurable, it must be 
estimated. In one application, one would estimate a using rate 
gyros and translational accelerometers, but the choice of sen- 
sors and the estimation method used are both independent of 
the FDI method. If it canbe assumed that the thrust is constant 
during each control sample period, and the FDI algorithm 
requires estimates of accelerations corresponding to these 
control sample periods, then it is therefore important that any 
significant phase lag produced by the estimation method be 
avoided, as that would distort the estimated correlation 
between the thruster command and resulting acceleration. It 
is also important that the estimation method accounts for the 
fact that thruster faults may be present — and does not make 
use of thruster knowledge in the estimation. 

A novel approach was developed to provide accurate angu- 
lar acceleration estimates from the gyro signals. In this 
approach, the segment of raw gyro readings covering the 
control segment of interest (during which thrust should be 
constant) is low-pass filtered with a forward-backward zero- 
phase smoothing filter to remove high frequency structural 
vibrations and vibration-induced ringing of the gyro’s tuning 
fork. A line is then fit using a linear least squares regression to 
the smoothed result, with the slope of the line providing the 
angular acceleration estimate. Since it used only samples 
taken during the thruster firing of interest, the estimate is thus 
properly correlated with the thruster firing that caused it. 
Also, no reliance on thruster properties was made in the 
estimate. 
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This approach for estimating acceleration by determining 
the slope of a line fit to the velocity data clearly generalizes to 
a method for computing the average derivative across a seg- 
ment of samples. 

Since one of the ways to implement this FDI is as part of a 5 
real-time processing system, it is desirable to implement tills 
derivative filter using as little code memory, processor cycles, 
and software development time as possible. A novel approach 
was developed that takes advantage of the fact that both 
low-pass filtering and least-squares line fitting act as linear to 
operations on the data, meaning that the combination of the 
two is also linear. This means that the two-step procedure can 
be implemented as a single vector multiplication of a vector 
of filter coefficients with the data segment. Further, the vector 
of filter coefficients can be determined through a process 15 
whereby each point, one at a time, is set to one and the 
two-step filter process output then equals the value of the 
corresponding coefficient. 

Having shown preferred embodiments for the general form 
of the invention and as applied to a specific application, those 20 
skilled in the art will realize many variations are possible 
which will still be within the scope and spirit of the claimed 
invention. Therefore, the scope of the invention is to be lim- 
ited only as indicated by the following claims. 

The invention claimed is: 25 

1. A method for detecting and isolating intermittently 
observable fault modes in a system having models describing 
its behavior and one or more measurements that are sampled 
regularly, said method comprising: 

(a) said models and computing capacity to calculate past 30 
and present measurements that would result from said 
system with no faults, as well as from said system with 
one or more potential fault mode candidates; 

(b) algorithms to calculate and store deviations between 
said calculated measurements and either actual mea- 35 
surements or an abstraction of said actual measurements 

as returned by a filtering function; 

(c) detection algorithms using said calculated deviations at 
times or states comprising present and historical data to 
declare when one of said fault mode candidates or 4 
anomalies in the data un-related to said fault modes 
becomes possible; 

(d) exoneration algorithms using said calculated deviations 
to remove certain fault mode candidates from consider- 

45 

ation as a potential fault mode, thereby making the deci- 
sion making in the final step simpler and more robust; 
and 
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(e) isolation algorithms using said calculated deviations to 
declare which one of remaining said potential fault 
mode candidates is the true fault mode. 

2. The method of claim 1, wherein the system is controlled 
with on-off actuators and the fault modes are hard-off or 
hard-on actuator faults. 

3. The method of claim 1, wherein the system is a thruster- 
controlled spacecraft, and the fault modes are thruster faults. 

4. The method of claim 3, wherein the method is imple- 
mented on-board said spacecraft using the main spacecraft 
processor. 

5. The method of claim 3, wherein the method is imple- 
mented on-board said spacecraft using a secondary processor 
communicating with said main spacecraft processor. 

6. The method of claim 3, wherein the method is imple- 
mented off-board said spacecraft, including at a ground sta- 
tion, performing said calculations based on telemetry from 
said spacecraft, and communicating the results back to said 
spacecraft. 

7. The method of claim 3, wherein said measurements are 
obtained from one or more of the following sensors: gyro- 
scopes of all varieties, accelerometers, star trackers, sun sen- 
sors, horizon sensors, video cameras, directional antennae, 
radar, and other measurements that directly or indirectly 
relate to spacecraft motions. 

8. The method of claim 1, wherein said model or models 
are adapted to match system outputs during periods where no 
failures are present, as with a neural network. 

9 . The method of claim 1, further including the case where 
it is implemented sequentially, whereby once a fault mode is 
correctly detected and isolated, said method is re-initialized 
with this information to enable detection and isolation of any 
subsequently occurring faults. 

10. The method of claim 1, wherein the application is to a 
system where a real-time controller exists, to be implemented 
either on the real-time processor, on a secondary processor as 
part of the system, on a processor that is separate from the 
system, or by manual implementation of said method, where 
communication of required signals and results would occur 
for the latter two instances. 

1 1 . The method of claim 1 , further including the case where 
excitation logic is used to dynamically adjust system inputs to 
improve the ability of said method to discern between a 
plurality of candidate fault modes, with said adjustments 
made as to minimize any negative impact on overall system 
performance. 





